What is DKIM and how do you enable it in Microsoft 365?

What is DKIM?

DKIM stands for DomainKeys Identified Mail and is an email authentication method. It helps the receiving mail server verify whether an email was sent from an allowed email server or not.

The idea of DKIM is that the sender's email servers sign all outgoing messages using asymmetric cryptography. The receiving email servers can then easily verify the signature with the help of the sender's public key, which is published in the sending domain's DNS.

If users had to sign and verify every message manually, it would be a pain in the ass for them and no one would use it. Nowadays most modern email systems have built-in support for DKIM to make the process smooth and automated.

How to enable DKIM?

The implementation of DKIM differs between vendors but the idea is the same. The sender generates an asymmetric key pair and signs all outgoing emails. The receiver of the email can use the sender's public key to verify that the email was signed by the correct server. Microsoft's email cloud service Exchange Online is very popular so I will now describe how you can enable DKIM signing in Microsoft 365.

Enable DKIM signing in Microsoft 365

Microsoft 365 has built-in support for DKIM signing. This guide will show you how easy it is to enable and configure.

  1. Step one is to browse to the following site and log in: https://security.microsoft.com/dkimv2
  2. You will now see an overview of all accepted domains in your tenant. Click on the domain you want to enable DKIM for:

  3. Press “Sign messages for this domain with DKIM signatures”

  4. You will now get a pop-up window which instructs you to create two CNAME records in your DNS. Copy these instructions and log in to your DNS provider
  5. Create and publish the two CNAME records in your DNS based on the instructions. They usually have the following format:
    1. Selector 1
      • Name: selector1._domainkey
      • Type: CNAME
      • Value: selector1-<customDomainIdentifier>._domainkey.<initialDomain>
        • Example: selector1-tzusec-com._domainkey.tzusec.onmicrosoft.com
      • TTL: 3600
    2. Selector 2
      • Name: selector2._domainkey
      • Type: CNAME
      • Value: selector2-<customDomainIdentifier>._domainkey.<initialDomain>
        • Example: selector2-tzusec-com._domainkey.tzusec.onmicrosoft.com
      • TTL: 3600
  6. When the records have been published, go back to the DKIM page in Microsoft 365 and press “Sign messages for this domain with DKIM signatures” again.
  7. When Microsoft has verified that the CNAME records are correct, signing will be enabled and you have successfully enabled DKIM signing for all of your outgoing emails, great job!
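The CNAME pair from step 5 can be checked before you return to the portal in step 6. The script below is an added example, not part of the original post: the function names are hypothetical, the resolver answers are constructed, and it assumes <customDomainIdentifier> is the domain with dots replaced by dashes, as in the tzusec.com example (the values shown in the portal pop-up are authoritative).

```shell
# Added example: helper names and the sample resolver answers are constructed.

# Build the CNAME target for one selector in the format shown in step 5.
# Assumption: <customDomainIdentifier> is the custom domain with dots as dashes.
dkim_expected_target() {  # $1=selector number, $2=custom domain, $3=initial domain
    id=$(printf '%s' "$2" | tr '.' '-')
    printf 'selector%s-%s._domainkey.%s\n' "$1" "$id" "$3"
}

# Normalise a DNS name: lower-case, no whitespace, no trailing dot.
dkim_normalise() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t\r\n' | sed 's/\.$//'
}

# Compare a published CNAME answer with the expected target.
# Returns 0 on match, 1 on mismatch, 2 when nothing is published.
dkim_check_record() {  # $1=selector, $2=domain, $3=initial domain, $4=answer
    want=$(dkim_normalise "$(dkim_expected_target "$1" "$2" "$3")")
    got=$(dkim_normalise "$4")
    if [ -z "$got" ]; then
        echo "selector$1: MISSING (no CNAME published)"
        return 2
    fi
    if [ "$got" = "$want" ]; then
        echo "selector$1: OK"
        return 0
    fi
    echo "selector$1: MISMATCH got=$got want=$want"
    return 1
}

# Live usage (needs dig and network access):
#   for n in 1 2; do
#     dkim_check_record "$n" tzusec.com tzusec.onmicrosoft.com \
#       "$(dig +short CNAME "selector$n._domainkey.tzusec.com")"
#   done

# Constructed answers so the block runs offline: selector1 published, selector2 not.
dkim_check_record 1 tzusec.com tzusec.onmicrosoft.com \
    "selector1-tzusec-com._domainkey.tzusec.onmicrosoft.com."
dkim_check_record 2 tzusec.com tzusec.onmicrosoft.com "" || true
```

Both selectors must report OK before Microsoft 365 will enable signing, since the second record is what allows the key to be rotated later.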

The next step is to verify that the signing works correctly and you can do that manually by inspecting the headers of an email sent from the email server. I will describe how you can do that in a future blog. Feel free to contact me on Twitter if you have any questions.

// Rickard Carlsson

How to prepare your CentOS 7 machine for Microsoft Azure

This guide will help you prepare your CentOS 7 server for a migration from on-premise to Microsoft Azure cloud. It can be a bit tricky to get everything to work correctly and personally I didn’t find Microsoft's guides to be great so I wrote this post to help you with the steps that are needed to migrate your old CentOS 7 machine to the cloud.

What you need to configure

  • Install Azure Linux Agent
  • Network Configuration
  • Hyper-V Drivers Configuration
  • Serial Console Configuration

How to do it

Install Azure Linux Agent

Install the Azure Linux Agent with yum.
yum install WALinuxAgent

Network Configuration

The network interface needs to be configured to use DHCP and you need to add the Hyper-V drivers to the interface. You can either do it by configuring your existing network interface (eth0) or by creating a new one:

1. Create a configuration file for the interface
vim /etc/sysconfig/network-scripts/ifcfg-eth0

NAME="eth0"
DEVICE="eth0"
BOOTPROTO=dhcp
ONBOOT=yes


Save the file with :wq

2. Map the networking card to the Hyper-V drivers by appending the following line to the 70-persistent-net.rules file.

vim /etc/udev/rules.d/70-persistent-net.rules

#For Azure
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="hv_netvsc", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

Save the file with :wq

Hyper-V Drivers Configuration

  1. Add Hyper-V drivers to Dracut
    vim /etc/dracut.conf
    add_drivers+=" hv_vmbus hv_netvsc hv_storvsc nvme ena xen_blkfront xen_netfront mptbase mptscsih mptspi "
  2. Update Initramfs by running the following command:
    dracut --force -v
  3. Verify that the Hyper-V modules have been loaded
    lsinitrd | grep hv

Serial Console Configuration

Azure uses ttyS0 for serial connection so we need to add it to our configuration.

  1. First add ttyS0 to securetty by appending the following
    vim /etc/securetty
    #add
    ttyS0

  2. Configure grub
    vim /etc/default/grub
    #Add
    GRUB_CMDLINE_LINUX="rootdelay=300 console=ttyS0 earlyprintk=ttyS0"

    After saving the file run the following command
    grub2-mkconfig -o /boot/grub2/grub.cfg
  3. Activate serial service
    Copy, link and activate the serial-getty service for ttyS0.

    Copy:
    cp /usr/lib/systemd/system/serial-getty@.service /etc/systemd/system/serial-getty@ttyS0.service

    Create a symlink:
    ln -s /etc/systemd/system/serial-getty@ttyS0.service /etc/systemd/system/getty.target.wants/

    Reload the daemon, then start and enable the service:
    systemctl daemon-reload
    systemctl start serial-getty@ttyS0.service
    systemctl enable serial-getty@ttyS0.service

Now you are ready for a migration to Microsoft Azure. I hope you found this guide helpful and that you will succeed with your cloud transformation.

Note: If you are running CentOS 6 I also have a guide for preparing your server for Azure.

// Rickard Carlsson

How to prepare your CentOS 6 machine for Microsoft Azure

This guide will help you prepare your CentOS 6 server for a migration from on-premise to Microsoft Azure cloud. It can be a bit tricky to get everything to work correctly and personally I didn’t find Microsoft's guides to be great so I wrote this post to help you with the steps that are needed to migrate your old CentOS 6 machine to the cloud.

What you need to configure

  • Install Azure Linux Agent
  • Network Configuration
  • Hyper-V Drivers Configuration
  • Serial Console Configuration

How to do it

Install Azure Linux Agent

Note: You will probably need to fix mirror configuration since CentOS 6 is EOL. Instructions can be found on the following link.

  • Alternative 1
    yum install WALinuxAgent
  • Alternative 2
    cd /tmp
    wget http://olcentgbl.trafficmanager.net/openlogic/6/openlogic/x86_64/RPMS/WALinuxAgent-2.2.45-1.el6.noarch.rpm
    yum localinstall WALinuxAgent-2.2.45-1.el6.noarch.rpm

Network Configuration

The network interface needs to be configured to use DHCP and you need to add the Hyper-V drivers to the interface. You can either do it by configuring your existing network interface (eth0) or by creating a new one:

1. Create a configuration file for the interface
vim /etc/sysconfig/network-scripts/ifcfg-eth0

NAME="eth0"
DEVICE="eth0"
BOOTPROTO=dhcp
ONBOOT=yes


Save the file with :wq

2. Map the networking card to the Hyper-V drivers by appending the following line to the 70-persistent-net.rules file.

vim /etc/udev/rules.d/70-persistent-net.rules

#For Azure
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="hv_netvsc", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

Save the file with :wq

Hyper-V Drivers Configuration

  1. Add Hyper-V drivers to Dracut

    vim /etc/dracut.conf

    add_drivers+=" hv_vmbus hv_netvsc hv_storvsc nvme ena xen_blkfront xen_netfront mptbase mptscsih mptspi "

  2. Update Initramfs by running the following command:

    dracut --force -v
  3. Verify that the Hyper-V modules have been loaded

    lsinitrd | grep hv

Serial Console Configuration

Azure uses ttyS0 for serial connection so we need to add it to our configuration.

  1. First add ttyS0 to securetty by appending the following

    vim /etc/securetty
    #add
    ttyS0

  2. Configure grub

    vim /boot/grub/grub.conf

    #add below configuration to kernel
    rootdelay=300 console=ttyS0 earlyprintk=ttyS0

    #also remove
    rhgb quiet crashkernel=auto
  3. Configure sysconfig/init

    vim /etc/sysconfig/init

    #Edit ACTIVE_CONSOLES to look like (make sure to use ""):
    ACTIVE_CONSOLES="/dev/tty[1-6] /dev/ttyS0"

    Also make sure to configure:
    timeout=15
    serial --unit=0 --speed=115200
    terminal --timeout=5 serial console

Now you are ready for a migration to Microsoft Azure. I hope you found this guide helpful and that you will succeed with your cloud transformation.
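A read-only check of the file-based settings from this guide and from the CentOS 7 guide above, to run before the migration. It is an added example, not part of the original posts: the function names are hypothetical, the optional ROOT argument is an assumption that lets it run against a mounted disk image, and the sample tree is constructed.

```shell
# Added example, not from the original guides. ROOT lets the checks run against
# a mounted disk image or a test tree instead of the live system.

# check FILE REGEX LABEL: pass when FILE under $ROOT has a line matching REGEX.
check() {
    if grep -Eq -- "$2" "$ROOT$1" 2>/dev/null; then
        echo "ok    $3"
    else
        echo "FAIL  $3 ($1)"
        FAILS=$((FAILS + 1))
    fi
}

azure_preflight() {
    ROOT=${1:-}; FAILS=0
    ifcfg=/etc/sysconfig/network-scripts/ifcfg-eth0
    check "$ifcfg" '^BOOTPROTO="?dhcp"?$' 'eth0 uses DHCP'
    check "$ifcfg" '^ONBOOT="?yes"?$' 'eth0 starts at boot'
    check /etc/udev/rules.d/70-persistent-net.rules \
        '^SUBSYSTEM=="net".*DRIVERS=="hv_netvsc".*NAME="eth0"' 'udev names hv_netvsc NIC eth0'
    for drv in hv_vmbus hv_netvsc hv_storvsc; do
        check /etc/dracut.conf "^add_drivers\+=.*[\" ]${drv}[\" ]" "dracut adds $drv"
    done
    check /etc/securetty '^ttyS0$' 'ttyS0 listed in securetty'
    # CentOS 7 keeps kernel arguments in /etc/default/grub, CentOS 6 in grub.conf.
    grub=/boot/grub/grub.conf
    [ -f "$ROOT/etc/default/grub" ] && grub=/etc/default/grub
    check "$grub" '^[^#]*console=ttyS0' 'kernel console on ttyS0'
    [ "$FAILS" -eq 0 ]
}

# Constructed CentOS 7 tree holding the settings from the guide.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/sysconfig/network-scripts" "$t/etc/udev/rules.d" "$t/etc/default"
    printf 'DEVICE="eth0"\nBOOTPROTO=dhcp\nONBOOT=yes\n' \
        > "$t/etc/sysconfig/network-scripts/ifcfg-eth0"
    echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="hv_netvsc", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"' \
        > "$t/etc/udev/rules.d/70-persistent-net.rules"
    echo 'add_drivers+=" hv_vmbus hv_netvsc hv_storvsc nvme "' > "$t/etc/dracut.conf"
    echo 'GRUB_CMDLINE_LINUX="rootdelay=300 console=ttyS0 earlyprintk=ttyS0"' \
        > "$t/etc/default/grub"
    printf 'tty1\nttyS0\n' > "$t/etc/securetty"
    echo "$t"
}

tree=$(make_sample_tree)
azure_preflight "$tree" && echo "all checks passed"
rm -rf "$tree"
```

On the server itself, call azure_preflight with no argument. The securetty entry is what permits root to log in on the serial console, so it is worth knowing whether it is present.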

Note: If you are running CentOS 7 I also have a guide for preparing your server for Azure.

// Rickard Carlsson

How to connect to Azure with SSH Tunneling

Have you just created your first Azure VM and are looking for a good, secure way to connect to your new machine without exposing more than necessary to the internet? Maybe you just want to run a few machines and don’t want to spend money on firewalls to configure VPN to your Azure Virtual Network (VNET)?


In this post I will explain a method that can be used to connect to your machine securely without any cost. After reading this post you will know how you can set up an SSH tunnel to your machine so you only need to expose TCP port 22 to the internet. I will also show you how you can limit the access to that port by configuring a Network Security Group (NSG) in Microsoft Azure to only allow your own IP to connect. You will connect to the VM using Putty and either Google Chrome or Mozilla Firefox. We start off by configuring the NSG in Azure.

Configuring NSG in Azure:
The first thing that we need to do is to allow you to SSH to your machine and we do that by configuring the NSG. You want to modify the inbound security rule named ‘default-allow-ssh’ and you do that by clicking on ‘Inbound security rules’ in the left menu.


You should now add your public IP to the rule to allow you to connect from your home network. You probably know how to get your public IP but if you don’t know, one simple way is to visit https://ipinfo.io and copy the address from there.


When you have the IP ready, click on the ‘default-allow-ssh’-rule to expand it and then add your IP to ‘Source IP addresses/CIDR ranges’ and press ‘Save’.


The Azure configuration is now done. Let's move on to the Putty configuration.

Configuring Putty:
If you don’t have Putty installed you can download it from the official website and then just install it. After you have installed the software the first step is to run Putty and add the public IP of your Azure VM and select SSH port 22.


Then navigate to SSH and check ‘Don’t start a shell or command at all’.


Move on by expanding SSH (+) and go to Tunnels. Add a forwarded port by choosing ‘Source port’. In this example we use port 1080. Select ‘Dynamic’ for destination and then press ‘Add’. Now you should see ‘D1080’ added above.


If you don’t want to configure these settings every time you want to use the tunnel you can save the session. That is done by going back to ‘Session’, entering a name and then pressing ‘Save’.


Now the tunnel is ready and we just need to start it. Click on ‘Open’, enter your SSH credentials and press enter and the tunnel should be up and running.
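The dynamic forward listens on your workstation, and anyone who can reach that listener can reach the VNET through it, so it is worth confirming that port 1080 is bound to loopback only. The check below is an added example, not part of the original post; it assumes a Linux client using OpenSSH instead of Putty, the function name is hypothetical, and the `ss -ltn` sample lines are constructed.

```shell
# Added example. OpenSSH equivalent of the Putty session above
# (<user> and <vm-public-ip> are placeholders):
#   ssh -N -D 127.0.0.1:1080 <user>@<vm-public-ip>
#   ss -ltn | socks_bind_status 1080

# Reads `ss -ltn` output on stdin and prints how the SOCKS port is bound:
#   loopback = only 127.0.0.1 / [::1], exposed = any other address, absent = no listener
socks_bind_status() {  # $1 = port, default 1080 as in this guide
    awk -v p="${1:-1080}" '
        $1 != "LISTEN" { next }
        {
            # Column 4 is "address:port"; the port is the last ":"-separated part.
            n = split($4, part, ":")
            if (part[n] != p) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END {
            if (!found) print "absent"
            else if (exposed) print "exposed"
            else print "loopback"
        }'
}

# Constructed `ss -ltn` samples.
SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1080     0.0.0.0:*
LISTEN 0      128    [::1]:1080         [::]:*'
OPEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:1080       0.0.0.0:*'

printf '%s\n' "$SAFE" | socks_bind_status 1080
printf '%s\n' "$OPEN" | socks_bind_status 1080
```

In Putty the matching setting is the ‘Local ports accept connections from other hosts’ checkbox on the Tunnels page, which should stay unchecked.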

Verify that the tunnel works:
You will probably want to make sure that the tunnel works as expected and we can verify that by configuring a simple HTTP server on the VM. In this example CentOS7 was used but it can be done on most machines.

Step one is to open another Putty window and connect to your VM via SSH. Navigate to your home folder (cd /home) and create a directory (mkdir testfolder). Cd into that folder and create a test file (touch test.txt). Then run the following command to run a Python-based HTTP server on port 80.

sudo python -m SimpleHTTPServer 80

Your server will now listen for incoming connections on port 80. But since you don’t allow any connections to port 80 in the NSG you won’t be able to go directly to port 80. We need to send our HTTP traffic in the SSH tunnel to be able to reach it and we do that by configuring proxy settings in our web browser. This can be done in most of the common browsers and I will show you how to do it in Firefox and Chrome.

Chrome:
To configure proxy for Chrome you just right click on Chrome in the task bar and select ‘Properties’. You then need to add some run parameters.


The parameters you should add are:

--user-data-dir="%USERPROFILE%\proxy-profile" 
--proxy-server="socks5://127.0.0.1:1080"

Firefox:
For Firefox you just open up the browser, open the menu (1) and click on ‘Options’ (2).


Then you search for proxy and click on ‘Settings’


Select ‘Manual proxy configuration’ (3) and then add ‘SOCKS Host 127.0.0.1 Port 1080’ (4) and ‘SOCKS v5’ like in the example below.


After configuring the proxy settings you can just browse to the internal IP of your Azure VM. You can find the internal IP in the overview of the VM.


Then just browse to the IP ‘http://10.0.0.4’


Voila, you should now see the test file (test.txt) that you created earlier.

I really hope you found this guide useful. If you have any questions or reflections please send me a message on Twitter.

/Rickard

Copyright © 2022